__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

            "libkadm5srv" Heap Buffer Overflow
          [MIT krb5 Security Advisory 2004-004]

December 21, 2004 19:00 GMT                         Number p-075
                                           [REVISED 07 Jan 2005]
                                           [REVISED 20 Jan 2005]
                                           [REVISED 14 Feb 2005]
                                           [REVISED 22 Feb 2005]
                                           [REVISED 28 Feb 2005]
______________________________________________________________________________

PROBLEM:       The MIT Kerberos 5 administration library (libkadm5srv)
               contains a vulnerability in the password history handling
               code.

PLATFORM:      KDC software on all releases of MIT krb5, up to and
               including krb5-1.3.5. Programs which use the vulnerable
               functionality of libkadm5srv include: kadmind,
               kadmin.local, kadmind4
               Debian GNU/Linux 3.0
               Red Hat Desktop (v. 3) and (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1 and v.3 and v.4)
               Red Hat Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack 3 Service Pack 3
               Solaris, Solaris Enterprise Authentication Mechanism (SEAM)

DAMAGE:        An authenticated user could execute arbitrary code on the
               KDC host, compromising an entire Kerberos realm.

SOLUTION:      Install the security patch.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. An authenticated user could execute
ASSESSMENT:    arbitrary code. Note that an administrator must have made a
               password policy change in order for this vulnerability to
               occur. Exploitation of this vulnerability is believed to be
               difficult.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-075.shtml
 ORIGINAL BULLETIN:  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-004-pwhist.txt
 ADDITIONAL LINK:    Debian Security Advisory DSA-629-1
                     http://www.debian.org/security/2005/dsa-629
                     Red Hat Security Advisory RHSA-2005:012-10
                     https://rhn.redhat.com/errata/RHSA-2005-012.html
                     SGI Security Advisory Update #24, 20050104-01-U
                     http://www.sgi.com/support/security/advisories.html
                     Red Hat Security Advisory RHSA-2005:045-13
                     https://rhn.redhat.com/errata/RHSA-2005-045.html
                     Sun Security Alert 57712
                     http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189
______________________________________________________________________________

REVISION HISTORY:
 01/07/2005 - added link to updated Debian packages available in Debian
              Security Advisory DSA-629.
 01/20/2005 - added link to Red Hat Security Advisory RHSA-2005:012 that
              provides updated packages for this vulnerability as well as
              updates for the vulnerability described in CAN-2004-0971
              (temporary file bug).
 02/14/2005 - added a link to SGI Security Advisory Update #24,
              20050104-01-U that provides a patch that includes updated SGI
              ProPack 3 Service Pack 3 RPMs for the SGI Altix family of
              systems.
 02/22/2005 - added a link to Red Hat Security Advisory RHSA-2005:045 that
              provides updated packages for Red Hat version 4.
 02/28/2005 - added a link to Sun Security Alert 57712 that provides
              updates for Solaris and SEAM addressing this vulnerability.
[***** Start MIT krb5 Security Advisory 2004-004 *****]

MIT krb5 Security Advisory 2004-004

Original release: 2004-12-20

Topic: heap buffer overflow in libkadm5srv

Severity: serious

SUMMARY
=======

The MIT Kerberos 5 administration library (libkadm5srv) contains a heap
buffer overflow in password history handling code which could be
exploited to execute arbitrary code on a Key Distribution Center (KDC)
host. The overflow occurs during a password change of a principal with
a certain password history state. An administrator must have performed
a certain password policy change in order to create the vulnerable
state. (See MITIGATING FACTORS below.)

No exploits are known to exist at this time, though a public discussion
of the bug took place during the first weeks of December 2004,
containing sufficient detail that someone could infer how to perform an
attack. Exploitation of this vulnerability is believed to be difficult,
due to the limited extent of the overflow.

IMPACT
======

An authenticated user, not necessarily one with administrative
privileges, could execute arbitrary code on the KDC host, compromising
an entire Kerberos realm. [CAN-2004-1189]

MITIGATING FACTORS
==================

* Typically, only a principal satisfying the following conditions can
  trigger the buffer overflow upon password change:

  + have changed its password fewer times than the history count in
    its password policy

  + had its password policy's history count subsequently reduced to
    equal the number of times it has changed its password

* There are other means of producing the vulnerable state, though they
  are significantly more complex and much less likely. All of these
  other methods involve a reduction of the password history count in a
  password policy.

* A workaround exists (see FIXES).

AFFECTED SOFTWARE
=================

* KDC software on all releases of MIT krb5, up to and including
  krb5-1.3.5. The vulnerable library is libkadm5srv.
  Programs which use the vulnerable functionality of the library
  include:

  + kadmind (administration daemon)

  + kadmin.local (KDC-local administration client)

  + kadmind4 (krb4 compatibility administration daemon)

FIXES
=====

* WORKAROUND: Until your KDC programs and libraries have been patched,
  do not decrease the password history count on any policy in your
  Kerberos realm. Also, if you have already decreased the password
  history count on a policy at some point in the past, you should raise
  it to the maximum value that it has had in the past.

* The upcoming krb5-1.4 release (currently in beta test) will contain
  fixes for this problem. The krb5-1.4-beta3 release contains fixes for
  this problem.

* The upcoming krb5-1.3.6 patch release contains fixes for this
  problem.

* Apply the following patch to src/lib/kadm5/srv/svr_principal.c, and
  recompile the affected libraries and binaries. This patch was
  generated against krb5-1.3.5, and may apply, with some offset, to
  earlier releases.

  This patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt.asc

Index: svr_principal.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v retrieving revision 1.26.2.1 diff -c -r1.26.2.1 svr_principal.c *** svr_principal.c 2 Sep 2003 18:58:56 -0000 1.26.2.1 - --- svr_principal.c 20 Dec 2004 19:47:29 -0000 *************** *** 1017,1022 **** - --- 1017,1025 ---- memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent)); adb->old_key_len++; + for (i = adb->old_key_len - 1; i > adb->old_key_next; i--) + adb->old_keys[i] = adb->old_keys[i - 1]; + memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent)); } else if (adb->old_key_len > pol->pw_history_num-1) { /* * The policy must have changed! Shrink the array.
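Review bot: the new shift loop `for (i = adb->old_key_len - 1; i > adb->old_key_next; i--)` and the `memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));` that follows it in the enlarge branch silently depend on adb->old_key_next being at most one past the old end of the array when this branch runs (the invariant the DETAILS section describes); if it were any larger the loop would be skipped and that memset would itself write past the end, so a one-line comment stating the invariant, or an explicit check, belongs next to the loop. Minor: once the shift and the second memset are in place, the earlier `memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent));` on the freshly added slot is redundant, since that slot is either overwritten by the shift or zeroed again when old_key_next points at it.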
*************** *** 1039,1048 **** histp[i] = adb->old_keys[j]; } /* Now free the ones we don't keep (the oldest ones) */ ! for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++) for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++) krb5_free_key_data_contents(context, &adb->old_keys[KADM_MOD(i)].key_data[j]); free((void *)adb->old_keys); adb->old_keys = histp; adb->old_key_len = pol->pw_history_num - 1; - --- 1042,1053 ---- histp[i] = adb->old_keys[j]; } /* Now free the ones we don't keep (the oldest ones) */ ! for (i = 0; i < adb->old_key_len - (pol->pw_history_num-1); i++) { for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++) krb5_free_key_data_contents(context, &adb->old_keys[KADM_MOD(i)].key_data[j]); + free(adb->old_keys[KADM_MOD(i)].key_data); + } free((void *)adb->old_keys); adb->old_keys = histp; adb->old_key_len = pol->pw_history_num - 1; *************** *** 1052,1061 **** - --- 1057,1070 ---- } } + if (adb->old_key_next + 1 > adb->old_key_len) + adb->old_key_next = 0; + /* free the old pw history entry if it contains data */ histp = &adb->old_keys[adb->old_key_next]; for (i = 0; i < histp->n_key_data; i++) krb5_free_key_data_contents(context, &histp->key_data[i]); + free(histp->key_data); /* store the new entry */ adb->old_keys[adb->old_key_next] = *pw;

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#948033: http://www.kb.cert.org/vuls/id/948033

CVE CAN-2004-1189:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189

    Administration library in MIT Kerberos 5 release krb5-1.3.5 and
    earlier has a heap buffer overflow in code which handles password
    history, possibly allowing authenticated attackers to execute
    arbitrary code on a KDC host.
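Review bot: in the shrink hunk (1039,1048 / 1042,1053) the added `free(adb->old_keys[KADM_MOD(i)].key_data);` closes a leak of the key_data array for each discarded oldest entry (previously only the key contents were released), and the new braces are essential so it runs once per entry after the inner `for (j ...)` loop rather than inside it; the dangling key_data pointer it leaves behind is only safe because the whole old array is released immediately afterwards by `free((void *)adb->old_keys);`. Suggest setting that pointer to NULL or adding a comment saying it is never read again, so a later reordering of this block cannot turn it into a double free.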
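Review bot: in the last hunk (1052,1061 / 1057,1070) the guard `if (adb->old_key_next + 1 > adb->old_key_len) adb->old_key_next = 0;` is the actual overflow fix, wrapping the insertion index when it would land past the end of old_keys after the policy-driven resize, but it carries no comment explaining why the index can legitimately be past the end here (the ring buffer wraps against the policy count, not the current array length, as DETAILS explains); add that comment, and consider writing the condition as `adb->old_key_next >= adb->old_key_len`, which reads as the bounds check it is. The added `free(histp->key_data);` mirrors the leak fix in the shrink path and is safe because the slot is overwritten by `adb->old_keys[adb->old_key_next] = *pw;` right after; free(NULL) on a zeroed slot is fine.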
ACKNOWLEDGMENTS
===============

Thanks to Michael Tautschnig for reporting this problem. Thanks to
Chaskiel Grundman and Luke Howard for providing debugging help on the
mailing list.

DETAILS
=======

The vulnerable function is add_to_history() in
src/lib/kadm5/srv/svr_principal.c. The password history is stored as a
ring buffer, represented as an array of osa_pw_ent_rec, which is
adb->old_keys. The "next" pointer is an index into the array,
adb->old_key_next, and the length of the array is stored in
adb->old_key_len. The array is dynamically resized as needed, and there
is no separate head pointer.

The policy's history count is stored in pol->pw_hist_num, but the
actual maximum number of keys stored in adb->old_keys is
pol->pw_hist_num-1, since the "current" key data are also used for
history comparisons when a password change occurs.

The index value adb->old_key_next is permitted to index to a position
one past the end of the array adb->old_keys if adb->old_key_next is
less than pol->pw_hist_num-1. This out-of-bounds indexing is usually
fixed up when add_to_history() enlarges the array on a subsequent call.

If pol->pw_hist_num is reduced to adb->old_key_next after a password
change that causes adb->old_key_next to index out of bounds, a
subsequent password change will not run the resizing code, and
add_to_history() will write a password history entry past the end of
the array adb->old_keys.
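The index arithmetic described in DETAILS, as an added model (not krb5 code and not part of the advisory): it tracks only adb->old_key_len, adb->old_key_next and the policy count, replays a short password-change history followed by a policy reduction, and reports where the next history write would land with and without the guard from the last hunk of the patch. The resize and wrap rules are assumptions drawn from the advisory's description; the hunk 1 entry shift is not modelled since it does not move the index.

```c
#include <stdbool.h>

/* Constructed model (added here, not krb5 code) of the quantities in the
 * advisory's DETAILS section: history array length, ring-buffer insertion
 * index and the policy history count. Indices only, no key material. */
typedef struct {
    int old_key_len;   /* models adb->old_key_len */
    int old_key_next;  /* models adb->old_key_next */
} hist_model;
/* The array is held at pw_hist_num - 1 entries: it grows by one slot per
 * password change until full and shrinks when the policy count drops. */
static void resize_history(hist_model *m, int pw_hist_num) {
    int max_stored = pw_hist_num - 1;
    if (m->old_key_len < max_stored)
        m->old_key_len++;
    else if (m->old_key_len > max_stored)
        m->old_key_len = max_stored;
}
/* After a write the index wraps against the policy count, so it may sit
 * one past the end of a not-yet-full array (as the advisory describes). */
static void advance_next(hist_model *m, int pw_hist_num) {
    if (++m->old_key_next >= pw_hist_num - 1)
        m->old_key_next = 0;
}
/* `changes` password changes under history count `initial_num`, then an
 * administrator lowers the count to `reduced_num`; leaves m in the state
 * the next change sees. With `patched`, the hunk 3 guard is applied. */
static void run_scenario(hist_model *m, int initial_num, int changes, int reduced_num, bool patched) {
    *m = (hist_model){0, 0};
    for (int i = 0; i < changes; i++) {
        resize_history(m, initial_num);
        advance_next(m, initial_num);
    }
    resize_history(m, reduced_num);
    if (patched && m->old_key_next + 1 > m->old_key_len)
        m->old_key_next = 0;
}
/* Array index the next password change writes its history entry to. */
int next_write_index(int initial_num, int changes, int reduced_num, bool patched) {
    hist_model m;
    run_scenario(&m, initial_num, changes, reduced_num, patched);
    return m.old_key_next;
}
/* True when that write lands inside the array (index < old_key_len). */
bool next_write_in_bounds(int initial_num, int changes, int reduced_num, bool patched) {
    hist_model m;
    run_scenario(&m, initial_num, changes, reduced_num, patched);
    return m.old_key_next < m.old_key_len;
}
```

With a history count of 4, two password changes leave old_key_len == 2 and old_key_next == 2; lowering the count to 3 makes the resize a no-op, so the unpatched write goes one past the end while the guard redirects it to slot 0.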
REVISION HISTORY
================

2004-12-20  original release

Copyright (C) 2004 Massachusetts Institute of Technology

[***** End MIT krb5 Security Advisory 2004-004 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Massachusetts Institute of
Technology for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-065: Cisco Default Administrative Password in Cisco Guard and Traffic
       Anomaly Detector
P-066: Veritas Backup Exec Buffer Overflow Vulnerability
P-067: PHP Multiple Vulnerabilities
P-068: Sun Webmail Vulnerability
P-069: Sun - Multiple Mozilla Vulnerabilities
P-070: Updated Samba Packages
P-071: Updated "gd" Packages
P-072: Updated ZIP Packages
P-073: Updated "libxml" Packages for Versions Prior to 2.6.14
P-074: "newgrp(1)" Local Privilege Escalation